FTC Issues First Major COPPA Rule Update in Over a Decade

FTC Issues First Major COPPA Rule Update in Over a Decade

According to an article by the Davis, Wright, Tremaine firm, the Federal Trade Commission (FTC) published a significant overhaul of the Children’s Online Privacy Protection Act (COPPA) Rule on April 22, 2025, the first major update since 2013. 

The final Rule, effective June 23, 2025, reflects the agency’s response to evolving technologies and children’s online behavior, and incorporates public feedback gathered since 2019. While the FTC adopted most of the proposed amendments issued earlier this year, it deferred changes specific to education technology providers due to anticipated updates to the Family Educational Rights and Privacy Act (FERPA). Regulated entities have until April 22, 2026, to comply with most provisions.

The revised Rule tightens and clarifies operators’ obligations regarding data collection, use, and security for users under 13. Notably, it introduces a formal definition for “mixed audience” services—those that attract both children and older users—requiring neutral age screening and compliance with COPPA protections for child-directed sections. 

Key terms like “personal information” and “online contact information” are broadened to include biometric data and mobile numbers. Updated consent rules now mandate separate approvals for disclosures to third parties unless deemed integral to the service. New methods for obtaining verifiable parental consent, including text messaging, knowledge-based authentication, and photo ID verification, are also authorized under specific safeguards.

The changes are centered on increased security, retention, and deletion requirements. Operators must implement formal information security programs and obtain written assurances from third parties handling children’s data. The COPPA Rule also imposes enhanced transparency and reporting obligations for FTC-approved safe harbor programs.

For compliance and risk professionals, the key takeaway is clear: now is the time to audit existing COPPA compliance programs. Operators and safe harbor entities must align their practices with the updated Rule’s expanded definitions, consent mechanisms, and security protocols to avoid regulatory exposure.